open source security assessment framework

Dradis

is an open source framework to enable effective information sharing, specially during security assessments.

Dradis is a self-contained web application that provides a centralized repository of information to keep track

This application is suited to people in lengthy engagements, it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins half the way through), it will be useful to bring them up to speed.

Download Link : Click Here

************************************************************************************

Open Source Live-CD for Computer Forensic

PlainSight :
is a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

Download Link : Click Here

********************************************************************************

DEFT 6 :
is based on Lubuntu with Kernel 2.6.35 (Linux side) and DEFT Extra 3.0 (Windows side) with the best freeware Computer Forensic tools; it is a new concept of Computer Forensic live system, ewflib ready, that use WINE for run Windows Computer Forensics tools under Linux.

DEFT live-cd for incident-response & corporate/gov forensics and a DEFT-based persistent environment for acquisition-analysis within the inhouse forensic lab.

Download Link : Click here

**********************************************************************************

Open Source Live-CD for Penetration testing

BackBox :
is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration tests and security assessments. Designed to be fast, easy to use and to provide a minimal yet complete desktop environment thanks to its own software repositories always been updated to the last stable version of the most known and used ethical hacking tools.

Hacking tools new or updated: Firefox 4, Hydra 6.2, Kismet 2011.03.2, Metasploit Framework 3.6.0, NMap 5.51, SET 1.3.5, SqlMap 0.9, sslstrip 0.8, w3af 1.0-rc5, weevely 0.3, WhatWeb 1.4.7,

Wireshark 1.4.5, Zaproxy 1.2, etc

Download Link : Click Here

**************************************************************************************************************************************

Blackbuntu :
is distribution for penetration testing which was specially designed for security training students and practitioners of information security.

Blackbuntu is Ubuntu base distro for Penetration Testing with GNOME Desktop Environment. It's currently being built using the Ubuntu 10.10.

Download Link : Click here

***********************************************************************************

Open Source network firewall

NetDefender :
is a Free Firewall with source code, which can be downloaded along with firewall executables. Netdefender works on windows 2000 and windows XP.

Requirements :

1. Netdefender can only run on an OS higher than windows 2000 (i.e. Win 2000, Win Xp I hope Vista would not break anything)
2. User must has admin rights (i.e. must be member of administrator group ) on the system.

Download Link : Click here

***********************************************************************************
Shorewall :
is a gateway/firewall configuration tool for GNU/Linux.


Download Link : Click here

************************************************************************************

Zorp
is a new generation proxy firewall suite and as such its core architecture is built around today's security demands: it uses application level proxies, it is modular and component based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it let's you override client actions, it let's you protect your servers with its built in IDS capabilities... The list is endless. It gives you all the power you need to implement your local security policy.

Download Link : Click here

***********************************************************************************

Ufw :

stands for Uncomplicated Firewall, and is program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

Download Link : Click here

Thanks

chandru

Best SQL Injection Security Scanners

SQLIer

– SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.

Get SQLIer : Click Here


SQLbftools

SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack.



Get SQLbftools : Click here

SQL Injection Brute-forcer –
SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application.

Get SQLLibf : Click Here

SQLBrute –
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries.

Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap –
SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.


Get SQLMap : Click Here

Absinthe –
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.

Get Absinthe: Click here

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.


SQID –

SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.

Get SQID : Click here

Blind SQL Injection Perl Tool –
bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection.

Get Blind SQL Injection Perl Tool : Click here

SQL Power Injection Injector –
SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads.

Get SQL Power Injection : Click here

FJ-Injector Framework –
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation.

Get FJ-Injector Framework: Click here

SQLNinja –
SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database.

Get SQLNinja: Click here

Automagic SQL Injector –
The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.

Get Automagic SQL Injector: Click here

NGSS SQL Injector –
NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.

Top Ten Automation Testing tool

QTP

HP-QuickTest Professional software provides functional and regression test automation for software applications and environments. HP QuickTest Professional supports keyword and scripting interfaces and features a graphical user interface. Its features are: a cascaded optimization system, the industry's deepest and broadest insight into IT-controlled assets, and a secure, comprehensive, operational environment for a hybrid world, enhanced expert view, business process testing, screen recorder etc.

Watir

Watir, pronounced water, is an open-source (BSD) family of ruby libraries for automating web browsers. It allows you to write tests that are easy to read and maintain. It is simple and flexible. It clicks links, fills in forms, and presses buttons. Watir also checks results, such as whether expected text appears on the page. Its features are: to connect to databases, read data files and spreadsheets, export XML, and structure your code as reusable libraries etc.










TOSCA Testsuite

TOSCA Testsuite is a software tool for the automated execution of functional and regression software testing. In addition to test automation functions, it includes integrated test management, a graphical user interface (GUI), a command line interface (CLI) and an application programming interface (API), generation of dynamic, synthetic test data, highly automated business dynamic steering of test case generation and the unified handling and executing of manual and automated as well as GUI and non-GUI tests etc.

Selenium

Selenium is a portable software testing framework for web applications. Selenium provides a record/playback tool for authoring tests without learning a test scripting language. It includes features like record and playback, intelligent field selection, Xpath as needed, auto complete for all common selenium commands, walk through tests, debug and set breakpoints, ruby scripts, or other formats, support for selenium user-extensions file, option to automatically assert the title of every page etc.

VISUAL STUDIO TEST PROFESSIONAL

Visual Studio Test Professional is an integrated testing toolset developed by Microsoft that delivers a complete plan-test-track workflow for in-context collaboration between testers and developers, in order to increase testers’ visibility to the overall project. Its features are file actionable bugs, manual testing, re-use manual test recordings, team foundation server, application lifecycle management etc. Whilst rich in features, it is an observation that testing professionals may get overwhelmed and intimidated due to abundance of menu items in the software that have no relevance to them.

WebUI TEST STUDIO

WebUI Test Studio is a tool for automated testing of web applications developed by telerik. WebUI Test Studio is used for testing all type of web applications without the need of writing code. The tool comes in two editions – a visual studio plug-in for software developers, and a standalone edition for QA professionals. Some features are: script less test recording, cross-browser test execution, web element abstraction and reuse, integration with visual studio, sentence-based UI validation, visual storyboard, test customization etc. It solves the problem of pop-ups by opening them in a different browser instance, so that they are not confined in the hosted browser.

RATIONAL FUNCTIONAL TESTER

Rational Functional Tester is an automated functional testing and regression testing tool. Provides testers with automated testing capabilities for functional testing, regression testing, and GUI testing and data-driven testing. It’s features are: simplify test creation and visualization with storyboard testing, provides lifecycle traceability, validate dynamic data with dynamic data validation wizard, streamline automation with keyword testing, proxy SDK, test script version control for parallel development, etc.

TESTCOMPLETE

TestComplete is an automated testing tool that lets you create, manage and run tests for any windows, web or rich client software. It makes it easy for anyone to create automated tests. Some features are open APIs, easy extensibility, tons of documentation, scripted testing for total flexibility, windows and web testing, application support etc. It is an easy to use, all-in-one package that lets anyone start automating tests in minutes with no special skills. It has a low price, powerful features and impressive support resources.

TESTPARTNER

Testpartner is an automated test tool that accelerates functional testing and facilitates the delivery of business-critical applications. Testpartner works via a tiered approach to testing that enables developers, quality experts and non-technical application users to collaborate and test more in the time available. Its features are: visual storyboard oriented approach, automated regression testing, automatic, object-oriented script generation, integrates with VBA etc. TestPartner encourages collaboration between developers, quality experts, and non-technical application users throughout the software development lifecycle, so more testing can be achieved in the available time.

SOA TEST

Parasoft SOAtest automates web application testing, message/protocol testing, cloud testing and security testing. Parasoft SOAtest and Parasoft load test (packaged together) ensure secure, reliable, compliant business processes and seamlessly integrate with Parasoft language products (e.g., Parasoft Jtest) to help teams prevent and detect application-layer defects from the start of the SDLC. Some features are client/server emulation, multi-layer verification, test case organization, regression testing, automatic test case generation, coding standard enforcement, soap -based enterprise system which operates as both the soap client and the soap server. This allows for early module testing of the applications.

TESTDRIVE


TestDrive is a full-featured automated testing solution designed to test GUI and browser applications "out-of-the-box". Significant reductions in timescales and advanced levels of quality can be achieved without the complexity of traditional testing tools. TestDrive integrates with all the other elements of our solution suite so that tests can be run from within Qualify, scripts can be built automatically from manual test results within TestDrive-Assist, and effects in the database can be simultaneously verified in TestBench.

Open Source web security Testing Tools

Watcher

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

---

Wapiti

File Handling Errors (Local and remote include/require, fopen, readfile...)Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Capable of handling following. Wapiti supports Database Injection, XSS Injection, LDAP Injection, Command Execution detection, CRLF Injection and many others.

---

WebSecurify

Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community. WebSecurify supports SQL Injection, Local and Remote File Include, Cross Site Scripting/Request Forgery, Information Disclousre Problems, Session Security Problems to name a few among many others.

---

Nikto2

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

---

Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

SQL, PHP, Command, XML/XPath Injection along with String/Integer vulnerabilities, Directory/File intrusions, Script/CSS vulnerabilities, Password/MIME types vulnerabilities, SSL/HTTP/HTML Forms realted vulnerabilities, Failed Website Resource vulnerabilities are very few of the vulnerabilities to mention that Skipfish can address among other host of features.

---

Ettercap

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. It supports Linux, Mac, Windows, Solairs platforms with easy installation.

---

Flawfinder

Flawfinder searches through C/C++ source code looking for potential security flaws. Flawfinder is designed in Pyton and produces a list of ‘‘hits’’ (potential security flaws), sorted by risk; the riskiest hits are shownfirst. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts, and in those contexts the hit will have a lower risk level

---

Honeyd

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

---

Wireshark

Wireshark, formerly known as Ethereal, is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Wireshark supports Multi-platform and runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others. Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.

---

BFBTester

BFBTester is good for doing quick, proactive security checks of binary programs. BFBTester will perform checks of single and multiple argument command line overflows and environment variable overflows. It can also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names.



By

chandru

OPen Source Live Web messenger

Open Web Messenger is an open source live support / chat application.

It enables customers / visitors to chat with an operator & get support (where all the chats are logged).

The application supports unlimited operators, visitors & chats. With a web-based admin interface, operators or admins can:

• Send canned messages
• Track where visitors clicked from
• Search porevious chat conversations
• Reassign/transfer chat to another operator
• Mark/highlight nuisance visitors
• View active chats (admins) & more

When there is no available operator, visitors can leave a message & they can be contacted later.

The look & feel of the chat window can be totally customized with the theme support.

This free live support application requires PHP 5 & MySQL 5 to run

Demo : Click here

Cisco Router & Firewall Audit Tool

Secure Cisco Auditor -
state of the art Next Generation network security auditing software for Cisco firewalls, routers and switches along with different Router audit tools and Network security Software.


Secure Cisco Auditor (SCA) is the most advanced user friendly network security auditing software in its domain. Cisco security audit tools are specially designed for network devices such as the Cisco ASA firewall, PIX firewall, routers and switches, as they are normally placed at the entrance and backbone of a company. If Cisco ASA firewall, PIX firewall, router or switch is compromised then most probably the entire network goes down with it. Security risks associated with Cisco ASA firewall, PIX firewall, routers and switches can be avoided by using this network security auditing software.

Download Link: Audit Tool

Open Source Network Monitoring Tools

OpenNMS

www.opennms.org

Features

• Event Management and Notifications


• Discovery and Provisioning


• Service Monitoring


• Data Collection


• Additional Features

I checked out the demo it looks pretty decent

Hyperic

Hyperic’s web infrastructure monitoring and management software automates and streamlines data center operations. HQ helps you reduce operations workload, increase your company’s IT management maturity level, and drive improvements in availability and infrastructure health.

Hyperic offers two versions of its flagship HQ product:

• Hyperic HQ – Hyperic’s open source offering is licensed under GNU GPL v2.

• HQ Enterprise – Hyperic’s industrial strength enterprise offering has all the capabilities of the open source version, plus advanced automation and control features for managing web applications at scale. HQ Enterprise is available as a free trial for download from Hyperic under a Commercial License. The enterprise trial is limited to 50 managed platforms, and typically expires within 30 to 45 days.

Open Source Web application firewalls

Web application firewalls provide security at the application layer. Essentially, WAF provides all your web applications a secure solution which ensures the data and web applications are safe.



A web application firewall applies a set of rules to HTTP conversation to identify and restrict the attacks of cross site scripting, SQL injections etc. You can also get web application framework and web based commercial tools, for providing security to web applications. Web Application Firewalls allows you to customize the rules by identifying and blocking malicious content. Some of the most popular and widely used open source web application firewalls for web application security are –

ModSecurity (Trustwave SpiderLabs)









ModSecurity is one of the oldest and widely used open source web application firewall which can detect application level threats on internet, and provides security against a range of security issues to web applications. It provides non viral open sources license and it can be integrated to Apache programs. Recently, ModSecurity released the version 2.6.0 which provides features for safe browsing API integration, sensitive data tracking and data modification features.






AQTRONIX WebKnight









AQTRONIX WebKnight is an open source application firewall designed specifically for web servers and IIS, and it is licensed through the GNU – General Public License. It provides the features of buffer overflow, directory traversal, encoding and SQL injection to identify / restrict the attacks.







ESAPI WAF









ESAPI WAF is developed by Aspect Security and it is designed to provide protection at the application layer instead of network layer. It is a Java based WAF which provides complete security from online attacks. Some of the unique features of the solution include outbound filtering features which reduce information leakage. It is configuration driven and not code based, and it enables easy installation by just adding configuration details in the text file.






WebCastellum









WebCastellum is a Java based web application firewall which can protect application against cross site scripting, SQL injections, command injections, parameter manipulation, and it can be integrated easily to a java based application. It is based on new technology and it can use existing code to provide protection.






Binarysec









Binarysec is web application software firewall for Apache, and it protects applications against illegitimate HTTP and blocks suspicious requests as well. It provides protection against cross site scripting, commend injections, parameter tampering, buffer overflow, directory traversal, SQL injection and attack obstruction. It takes not more than 10 minutes to install the software, and its user interface can manage Apache servers and many sites on one machine.






Guardian@JUMPERZ.NET









Guardian@JUMPERZ.NET is an open source application layer firewall for HTTPS / HTTP and it assesses the HTTP / HTTPS traffic to protect the web application from external attacks. Guardian@JUMPERZ.NET immediately disconnects the TCP connection when the application comes in contact with a malicious / unauthorized request.






OpenWAF









Art of defense is a San Francisco based web application security provider which started a project on open source OpenWAF in February 2011. It’s also the first company to provide distributed web application firewall for Apache servers.






Ironbee









Qualys created cloud based open source web application firewall - Ironbee which examines the HTTP instead of the traditional IP packets to evaluate a data. It can even track attacks on cross site scripting code. Ironbee is published through Apache License version 2 and it provides no copyright assignment. It has modular structure and is quite easy to use.






Profense









ZION security offers an open source web application firewall similar to ModSecurity, and is called Profense. The web application firewall provided by Zion is essentially a Layer-7 firewall (which is also called “proxy firewall”) and it inspects the traffic to block content.






Smoothwall









Smoothwall provides strong web security tools to manage emails. The open source web filtering engine of Smoothwall is called DansGuardian. It has flexible user rules and a fully integrated component for web filtering and security. What’s more, it provides authenticated network access and traffic blocking. Smoothwall free firewall has security hardened Linux GNU OS too.